Having set up my lab's PKI infrastructure previously, one of the next steps I needed to complete was to create a certificate template for VMware's products to use, as they require certain properties to be present in the certificates they are issued.
There is a KB article that covers this but I wanted to run through it and use some of the specifics for my lab.
Template for VMware SSL Certificates
This template will provide certificates for ESXi hosts, vCenter, vRA, vRO etc. To create it, we first need the Certificate Templates Console. This can be opened by running certtmpl.msc.
Per the KB article, I duplicated the "Web Server" template as a starting point. My first task was to give the template a new name and set the validity to 4 years:
On … [Read more...]

A quick recap of where I got to. I have an offline Root CA (well, it's still online because I'll need it in a minute) and I've created a website on my online subordinate CA server to host the Root CA certificate and CRL files.
The purpose of the subordinate CA is to handle certificate signing and revocation for all services in my infrastructure that require them. It will be granted the authority to do so by the Root CA. So this post covers the remaining steps of the process, which are:
Installing and configuring the subordinate CA
Signing the subordinate CA's certificate using the Root CA
Delegating control of the subordinate CA to someone other than Domain Admins
Some elements of this process are very similar to the process of … [Read more...]

Previously, I set up an offline Root CA in my homelab with the intention of emulating a PKI setup that many enterprises seem to run.
The second stage of this process is publishing the Root CA certificate and CRL in a place where they can be accessed while the Root CA is offline. If you recall, I configured the Root CA to publish its CRL etc. to a location on pki.o11n.lab. I now need to create that.
The Server
Rather than run my lab's online CA on a domain controller, which might be tempting but causes other issues, I have a domain-joined server set up that will eventually become my online subordinate CA.
It's a vanilla Windows 2012 R2 server as before and a domain member.
DNS
The VM is called "ca-01", but I need to have pki.o11n.lab pointed … [Read more...]

Self-signed SSL certificates are all well and good, but they're not meant for the real world. The trust issues they cause can be a headache on customer projects, and anything that's going into production shouldn't be using them.
For that reason, I thought it'd be better to change my homelab so that it uses a slightly more realistic PKI setup. The first phase of that is creating an offline Root CA as it's something that a good number of customers use too.
Step 1: DNS
From a DNS perspective, my homelab is split up so that anything physical and fundamental to the lab (e.g. storage / NAS, physical hosts, switches etc) lives in its own DNS domain (home.lab). Everything else from vCenter and AD downwards is in one or more other DNS … [Read more...]

I came across an interesting scenario recently where a node that is part of a Windows Cluster (hosting a SQL Cluster) on Windows Server 2012 R2 suddenly started reporting errors.
The node is part of a 2-node cluster with a 3rd VM acting as a file share witness for the cluster, and had just been moved between vApps in an IaaS / cloud environment to account for a DR provision (where DR is based on vApp membership, not at individual VM level).
Once rebooted, the cluster was showing some strange errors, and the cluster name had changed in the Failover Cluster Manager from 'MSCLUSTER.DOMAIN.LOCAL' to 'MSCLUSTER.MSCLUSTER'. On renaming the cluster manually, the ever helpful Microsoft error message (seen in the image attached to this post) … [Read more...]

I'm not going to go into exactly why (it's a minor networking niggle following on from a change in broadband provider), but I wanted a simple HTTP proxy in my lab so that my lab VMs could get out onto the internet, mostly for installing updates etc.
Since my NAS is ideally placed in my network, I thought that I'd use that. It's only a short-term thing anyway.
Now, in order to get a proxy service onto the NAS, I needed to set up IPKG first. This allowed me to install and configure SQUID as follows:
1. Open an SSH session to the NAS
2. Download and install SQUID
3. Perform a couple of configuration commands
4. SQUID can now be started using /opt/etc/init.d/S80squid start
Now there may be some additional changes you … [Read more...]

Sometimes you want to install "community" or third-party packages on your Synology NAS, and they require IPKG (Itsy Package Management System) to be present. Instructions about how to go about this seem to vary and are often specific to the CPU inside your NAS. The easiest method that I've found for getting IPKG installed is as follows...
First job is to open an SSH session to the NAS and confirm what type of processor it has. This can be done using the following command:
For my DS1513+ it returns:
Next you need to dig around the site http://ipkg.nslu2-linux.org/feeds/optware/ to find the correct bootstrap for your architecture. In my case it’s … [Read more...]

I came across a customer site recently where their vCloud Director (vCD) 5.1 implementation was not reporting CPU utilization for Organisation Virtual Datacenters (Org VDCs). RAM and storage allocation was fine; just CPU was not showing a usage bar, and the mouse-over tip reported 0% allocated.
Turns out this is a known issue with vCloud Director 5.1, and VMware have released KB 2054043 relating to this issue. Their advice (via the KB) is to:
Upgrade vCloud Director to version 5.1.2 or later.
Enable Elastic Allocation Pool mode for vCloud Director. To do this:
Login to vCD as a System Administrator user.
Navigate to Home > Administration > General.
Under the Miscellaneous section, check the box next to 'Make … [Read more...]

With vCAC 6.0.x, there is a bug in the SSO appliance where several symptoms present all at the same time:
Authentication to AD or LDAP identity stores fails, returning the user to the blank authentication screen.
When logged in to the default tenant as administrator (usually 'administrator@vsphere.local'), accessing tenant identity stores results in a 'System Exception' error.
Tenant Admins cannot add or edit identity stores.
This is a documented bug, as listed in VMware KB Article 2075011, and at the time of writing there is a workaround.
The issue, as documented, is that the administrator account in the default tenant expires 90 days after implementation of the appliance. I came across this issue, and was for a while not … [Read more...]

This one stumped me for a little bit.
The private cloud in my lab is fairly simple in layout - 2 RHEL cells with a vCNS load balancer, a shared NFS server and a DB server. The Organisations are provisioned such that, of the 3 tenants, one is a master tenant that is only used for creating and maintaining vApp templates, via a Public Catalog that shares the templates for cloud provisioning and vCAC blueprint testing.
Running this configuration with no changes to the default vCloud Director (vCD) roles worked fine - delegated LDAP users in the 2 user organisations were able to select vApp templates from the Public Catalog and deploy them locally. All good.
The issue came when the cells for vCD were upgraded to the latest v5.5.1 build. … [Read more...]